Is it time to Fire your network protection vendor?

I hereby solemnly promise that Bromium will never have a product with “fire” in its name. By now everyvendorinthe next-gen IDS / IPS / Firewall / honeypot-as-ultimate-defense-against-the-dark-arts market has a next-gen “fire”-branded product that claims to protect against APTs. “Fire” appliances are easy to sell, so Wall Street swooned for a while. But they don’t deliver value. They are expensive, cost even more to run, and don’t protect your endpoints. Though the vendors’ gleefully assert that endpoint AV is useless against today’s “sophisticated attackers”, their solutions do little more than move AV into the network, with a focus on alerting rather than stopping attacks. Even the worst AV suite can quarantine suspected malware, but with a “fire” product in your network you are deploying a variant of AV that can do little more than bleat. How did we end up here? Well, “fire” appliances are optimized for quick sales: Persuade the customer to test the appliance on a span port on the network. Show alerts for lots of bad stuff crossing the network, and the deal is done. To ensure that there are lots of alerts, the vendors run legacy, unpatched VM images on the appliance that aren’t even properly licensed and bear no resemblance to the software on your actual endpoints. But the result is terrific: Lots of events – and lots of purchase orders. The worst thing about this racket is that these appliances don’t solve the security problem – they make it worse. Bromium is working with a large enterprise with north of 50,000 employees. Their security team receives 6,000 alerts per week from their “fire” product. Through de-duplication in their (expensive) SIEM, they typically reduce those down to 250 alerts a week – each of which is manually investigated – typically taking 2-4 hours, but often twice that, depending on the skill of the investigator. And more often than not, the endpoint is re-imaged just because “it’s simpler” and “we don’t really know if malware executed; re-imaging is safer”. Investigation, analysis and remediation results in 500-1,000 hours of labor, per week, without accounting for end-user downtime. The bad news: Over several months the security team has concluded that over 80% of the alerts are obviously false alarms – there was either no attack or the attack did not execute given the patch level of the endpoint. They have conservatively calculated that they waste well over $1M/year on FALSE POSITIVES! Typically 50 of 6000 alerts are attacks that would execute on the endpoint – under 1%. This matches anecdotal evidence from Bromium customers that about 1% of their off net PCs see some form of malware each month. Of course with vSentry, remediation is eliminated, and if the attack executes, it does so in the narrow confines of a micro-VM from which it can steal nothing and go nowhere. Bromium aside – can you afford to invest in tech that is inaccurate, costs more to run than to buy, and still doesn’t protect the enterprise?